
CertNexus CFR-410 CyberSec First Responder (CFR) Exam Practice Test

Page: 1 / 18
Total 180 questions

CyberSec First Responder (CFR) Exam Questions and Answers

Question 1

During which phase of a vulnerability assessment would a security consultant need to document a requirement to retain a legacy device that is no longer supported and cannot be taken offline?

Options:

A. Conducting post-assessment tasks
B. Determining scope
C. Identifying critical assets
D. Performing a vulnerability scan

Question 2

A system administrator identifies unusual network traffic from outside the local network. Which of the following is the BEST method for mitigating the threat?

Options:

A. Malware scanning
B. Port blocking
C. Packet capturing
D. Content filtering

Question 3

Which of the following attack vectors capitalizes on a previously undisclosed issue with a software application?

Options:

A. Zero-Day Exploit
B. Brute Force
C. Misconfiguration
D. Ransomware
E. Phishing

Question 4

What are the two most appropriate binary analysis techniques to use in digital forensics analysis? (Choose two.)

Options:

A. Injection Analysis
B. Forensic Analysis
C. Static Analysis
D. Dynamic Analysis

Question 5

A system administrator has been tasked with developing highly detailed instructions for patching managed assets using the corporate patch management solution. These instructions are an example of which of the following?

Options:

A. Process
B. Procedure
C. Standard
D. Policy

Question 6

Which common source of vulnerability should be addressed to BEST mitigate against URL redirection attacks?

Options:

A. Application
B. Users
C. Network infrastructure
D. Configuration files

Question 7

An administrator believes that a system on VLAN 12 is Address Resolution Protocol (ARP) poisoning clients on the network. The administrator attaches a system to VLAN 12 and uses Wireshark to capture traffic. After reviewing the capture file, the administrator finds no evidence of ARP poisoning. Which of the following actions should the administrator take next?

Options:

A. Clear the ARP cache on their system.
B. Enable port mirroring on the switch.
C. Filter Wireshark to only show ARP traffic.
D. Configure the network adapter to promiscuous mode.

Question 8

Which of the following plans helps IT security staff detect, respond to, and recover from a cyber attack?

Options:

A. Data Recovery Plan
B. Incident Response Plan
C. Disaster Recovery Plan
D. Business Impact Plan

Question 9

An employee discovered the default credentials in DB servers, which were found by using a word list of commonly used and default passwords in Hydra, the tool behind the Brute functionality. The use of the word list in Hydra is an example of what type of password cracking?

Options:

A. Rainbow tables
B. hashcat
C. Markov chains
D. Brute-force
E. Dictionary attack

Question 10

It was recently discovered that many of an organization's servers were running unauthorized cryptocurrency mining software. Which of the following assets were being targeted in this attack? (Choose two.)

Options:

A. Power resources
B. Network resources
C. Disk resources
D. Computing resources
E. Financial resources

Question 11

What are three benefits of security logging and monitoring? (Choose three.)

Options:

A. Feeding intrusion detection systems
B. Satisfying regulatory compliance requirements
C. Data collection
D. Forensic analysis and investigations
E. Penetration testing

Question 12

Which of the following types of attackers would be MOST likely to use multiple zero-day exploits executed against high-value, well-defended targets for the purposes of espionage and sabotage?

Options:

A. Cybercriminals
B. Hacktivists
C. State-sponsored hackers
D. Cyberterrorist

Question 13

Which of the following is considered a weakness or gap in a security program that can be exploited to gain unauthorized access?

Options:

A. Risk
B. Threat
C. Asset
D. Vulnerability

Question 14

An incident responder has collected network capture logs in a text file, separated by five or more data fields. Which of the following is the BEST command to use if the responder would like to print the file (to terminal/screen) in numerical order?

Options:

A. cat | tac
B. more
C. sort -n
D. less

Question 15

Network infrastructure has been scanned and the identified issues have been remediated. What is the next step in the vulnerability assessment process?

Options:

A. Generating reports
B. Establishing scope
C. Conducting an audit
D. Assessing exposures

Question 16

Which of the following technologies would reduce the risk of a successful SQL injection attack?

Options:

A. Reverse proxy
B. Web application firewall
C. Stateful firewall
D. Web content filtering

Question 17

Which asset would be the MOST desirable for a financially motivated attacker to obtain from a health insurance company?

Options:

A. Transaction logs
B. Intellectual property
C. PII/PHI
D. Network architecture

Question 18

An incident response team is concerned with verifying the integrity of security information and event management (SIEM) events after being written to disk. Which of the following represents the BEST option for addressing this concern?

Options:

A. Time synchronization
B. Log hashing
C. Source validation
D. Field name consistency

Question 19

A company has noticed a trend of attackers gaining access to corporate mailboxes. Which of the following would be the BEST action to take to plan for this kind of attack in the future?

Options:

A. Scanning email server for vulnerabilities
B. Conducting security awareness training
C. Hardening the Microsoft Exchange Server
D. Auditing account password complexity

Question 20

A security analyst needs to capture network traffic from a compromised Mac host. They attempt to execute the tcpdump command using their general user account but continually receive an "Operation Not Permitted" error. Use of which of the following commands will allow the analyst to capture traffic using tcpdump successfully?

Options:

A. sudo
B. netstat
C. chroot
D. chmod
E. lsof

Question 21

Which of the following sources is best suited for monitoring threats and vulnerabilities?

Options:

A. OWASP
B. CVE
C. DISA STIG
D. SANS

Question 22

A government organization responsible for critical infrastructure is being attacked and files on the server have been deleted. Which of the following are the most immediate communications that should be made regarding the incident? (Choose two.)

Options:

A. Notifying law enforcement
B. Notifying the media
C. Notifying a national computer emergency response team (CERT) or cybersecurity incident response team (CSIRT)
D. Notifying the relevant vendor
E. Notifying a mitigation expert

Question 23

What term means that data is valid and not corrupt?

Options:

A. Confidentiality
B. Authorization
C. Integrity
D. Authentication

Question 24

After imaging a disk as part of an investigation, a forensics analyst wants to hash the image using a tool that supports piecewise hashing. Which of the following tools should the analyst use?

Options:

A. md5sum
B. sha256sum
C. md5deep
D. hashdeep

Question 25

Which service is commonly found on port 3306?

Options:

A. BitTorrent
B. MySQL
C. MS-RPC
D. Oracle SQL*Net Listener

Question 26

Which part of a proactive approach to system security is responsible for identifying all possible threats to a system to be categorized and analyzed?

Options:

A. Threat assessment
B. Threat intelligence
C. Threat modeling
D. Threat hunting

Question 27

An incident handler is assigned to initiate an incident response for a complex network that has been affected by malware. Which of the following actions should be taken FIRST?

Options:

A. Make an incident response plan.
B. Prepare incident response tools.
C. Isolate devices from the network.
D. Capture network traffic for analysis.

Question 28

Detailed step-by-step instructions to follow during a security incident are considered:

Options:

A. Policies
B. Guidelines
C. Procedures
D. Standards

Question 29

A Windows system administrator has received notification from a security analyst regarding new malware that executes under the process name of "armageddon.exe" along with a request to audit all department workstations for its presence. In the absence of GUI-based tools, what command could the administrator execute to complete this task?

Options:

A. ps -ef | grep armageddon
B. top | grep armageddon
C. wmic process list brief | find "armageddon.exe"
D. wmic startup list full | find "armageddon.exe"

Question 30

A common formula used to calculate risk is: ____ + Threats + Vulnerabilities = Risk. Which of the following represents the missing factor in this formula?

Options:

A. Exploits
B. Security
C. Asset
D. Probability

Question 31

Which of the following are Disaster Recovery Plan best practices that should be considered? (Choose three.)

Options:

A. Isolate the services and data as much as possible.
B. Back up to a NAS device that is attached 24 hours a day, 7 days a week.
C. Understand which processes are critical to the business and have to run in disaster recovery.
D. Maintain integrity between primary and secondary deployments.
E. Store any data elements in the root storage that is used for root access for the workspace.

Question 32

Which term describes the process of collecting logs from many sources across an IT infrastructure into a single, centralized platform to be reviewed and analyzed?

Options:

A. Log processing
B. Log aggregation
C. Log monitoring
D. Log normalization
E. Log correlation

Question 33

If a hacker is attempting to alter or delete system audit logs, in which of the following attack phases is the hacker involved?

Options:

A. Covering tracks
B. Expanding access
C. Gaining persistence
D. Performing reconnaissance

Question 34

Which of the following represents a front-end security capability that addresses cyber resiliency?

Options:

A. Multi-factor authentication
B. Immutability of backups
C. Key management
D. Physical separation of backups

Question 35

An administrator investigating intermittent network communication problems has identified an excessive amount of traffic from an external-facing host to an unknown location on the Internet. Which of the following BEST describes what is occurring?

Options:

A. The network is experiencing a denial of service (DoS) attack.
B. A malicious user is exporting sensitive data.
C. Rogue hardware has been installed.
D. An administrator has misconfigured a web proxy.

Question 36

The Key Reinstallation Attack (KRACK) vulnerability is specific to which types of devices? (Choose two.)

Options:

A. Wireless router
B. Switch
C. Firewall
D. Access point
E. Hub

Question 37

What is baseline security?

Options:

A. A measurement used when a system changes from its original baseline.
B. An organization's insecure starting point before fixing any security issues.
C. An organization's secure starting point after fixing any security issues.
D. A document stipulating constraints and practices that a user must agree to for access to an organization's network.

Question 38

In which of the following attack phases would an attacker use Shodan?

Options:

A. Scanning
B. Reconnaissance
C. Gaining access
D. Persistence

Question 39

Which of the following security best practices should a web developer reference when developing a new web-based application?

Options:

A. Control Objectives for Information and Related Technology (COBIT)
B. Risk Management Framework (RMF)
C. World Wide Web Consortium (W3C)
D. Open Web Application Security Project (OWASP)

Question 40

According to SANS, when should an incident retrospective be performed?

Options:

A. After law enforcement has identified the perpetrators of the attack.
B. Within six months following the end of the incident.
C. No later than two weeks from the end of the incident.
D. Immediately after concluding eradication of the root cause.

Question 41

Which two answer options correctly highlight the difference between static and dynamic binary analysis techniques? (Choose two.)

Options:

A. Dynamic analysis tells everything the program can do, and static analysis tells exactly what the program does when it is executed in a given environment and with a particular input.
B. Static analysis tells everything the program can do, and dynamic analysis tells exactly what the program does when it is executed in a given environment and with a particular input.
C. Dynamic analysis examines the binary without executing it, while static analysis executes the program and observes its behavior.
D. Static analysis examines the binary without executing it, while dynamic analysis executes the program and observes its behavior.

Question 42

During a security investigation, a suspicious Linux laptop is found in the server room. The laptop is processing information and indicating network activity. The investigator is preparing to launch an investigation to determine what is happening with this laptop. Which of the following is the MOST appropriate set of Linux commands that should be executed to conduct the investigation?

Options:

A. iperf, traceroute, whois, ls, chown, cat
B. iperf, wget, traceroute, dc3dd, ls, whois
C. lsof, chmod, nano, whois, chown, ls
D. lsof, ifconfig, who, ps, ls, tcpdump

Question 43

A security administrator needs to review events from different systems located worldwide. Which of the following is MOST important to ensure that logs can be effectively correlated?

Options:

A. Logs should be synchronized to their local time zone.
B. Logs should be synchronized to a common, predefined time source.
C. Logs should contain the username of the user performing the action.
D. Logs should include the physical location of the action performed.

Question 44

After successfully enumerating the target, the hacker determines that the victim is using a firewall. Which of the following techniques would allow the hacker to bypass the intrusion prevention system (IPS)?

Options:

A. Stealth scanning
B. Xmas scanning
C. FIN scanning
D. Port scanning

Question 45

Which approach to cybersecurity involves a series of defensive mechanisms that are layered to protect valuable data and information?

Options:

A. Network segmentation
B. Defense in depth
C. Tiered security
D. Endpoint detection and response

Question 46

During recovery from an incident, which three options should a company focus on? (Choose three.)

Options:

A. Evaluating the success of the current incident response plan
B. Ensuring proper notifications have been made
C. Providing details of the breach to media
D. Identifying the responsible parties
E. Restoring system and network connectivity
F. Determining the financial impact of the breach

Question 47

Which three of the following are included in encryption architecture? (Choose three.)

Options:

A. Certificate
B. Encryption keys
C. Encryption engine
D. Database encryption
E. Data

Question 48

A company website was hacked via the following SQL query:

    SELECT email, passwd, login_id, full_name FROM members
    WHERE email = "attacker@somewhere.com"; DROP TABLE members; --"

Which of the following did the hackers perform?

Options:

A. Cleared tracks of attacker@somewhere.com entries
B. Deleted the entire members table
C. Deleted the email password and login details
D. Performed a cross-site scripting (XSS) attack

Question 49

Which of the following methods are used by attackers to find new ransomware victims? (Choose two.)

Options:

A. Web crawling
B. Distributed denial of service (DDoS) attack
C. Password guessing
D. Phishing
E. Brute force attack

Question 50

What kind of measures and controls are implemented when employees get assigned personal, unique badges when they join the organization, and they remain valid until the employee's last day of work?

Options:

A. Human resources security
B. Communications security
C. Physical security
D. Operations security

Question 51

Which of the following is a method of reconnaissance in which a ping is sent to a target with the expectation of receiving a response?

Options:

A. Active scanning
B. Passive scanning
C. Network enumeration
D. Application enumeration

Question 52

A Linux system administrator found suspicious activity on host IP 192.168.10.121. This host is also establishing a connection to IP 88.143.12.123. Which of the following commands should the administrator use to capture only the traffic between the two hosts?

Options:

A. # tcpdump -i eth0 host 88.143.12.123
B. # tcpdump -i eth0 dst 88.143.12.123
C. # tcpdump -i eth0 host 192.168.10.121
D. # tcpdump -i eth0 src 88.143.12.123

Question 53

Which of the following is an automated password cracking technique that uses a combination of uppercase and lowercase letters, 0-9 numbers, and special characters?

Options:

A. Dictionary attack
B. Password guessing
C. Brute force attack
D. Rainbow tables

Question 54

When reviewing log files from a recent incident, the response team discovers that most of the network-based indicators are IP-based. It would be helpful to the response team if they could resolve those IP-based indicators to hostnames. Which of the following is BEST suited for this task?

Options:

A. DNS
B. RIP
C. WINS
D. NTP
E. NFS
